Changelog for log2timeline-0.65-5.2.noarch.rpm:
Tue Oct 2 14:00:00 2012 Greg.FreemyerAATTgmail.com
- rm %doc docs/
* # these were redundant and duplicative of other files
- rm fdupes lines which were attempting to fix the above issue
- for opensuse 12.2 and newer duplicate all Requires as BuildRequires so that "make test" succeeds in %check section
- Version 0.65
- [UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
- [SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
- [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
- [TEST] Added a few more tests.
- other bug fixes, see CHANGELOG

Tue May 29 14:00:00 2012 Greg.FreemyerAATTgmail.com
- Version 0.64
- Added docs/LICENSE_GRANTING (See BNC#744529)
- This file contains copies of 2 emails granting GPL publishing rights to 2 of the perl modules
- [TESTSUITE] Added the first version of a test suite to the tool.
- All tests are located inside the t/ directory.
- Tests should be constructed for ALL possible uses of the tool, not limited to:
- Raw parsing of logs using input modules.
- Correct output for output modules.
- Correct output from each function inside modules/libraries.
- The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
- [LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
- [Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
- Changed the exclusion list so it can be easily changed
- Added a call to ->end on each input module if verification failed.
- Minor bug fixes in the main engine.
- Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
- [CHROME input] - Slight changes to the output based on the value of the typed_count variable, also updated the path
to the code that describes the transition types.
- [SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool
not to include SKYPE data when recursive mode was set on.
- Also fixed UTF-8 support, should properly display UTF-8 by now.
- [PREFETCH input] Small changes to the verification module.
- [WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
- [SQLITE output] Changed the way the SQLite code is written considerably, pre-compiling statements to prevent them
being compiled for each insert, using transactions instead of writing them constantly to the DB, and other minor tweaks
to make the DB output faster than before (since it was incredibly slow before).
- [CHROME input] Small bug to fix UTF-8 support.
- [FIREFOX3 input] Small bug to fix UTF-8 support.
- [PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive
is turned on.
- [RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive
is turned on.
- [LIST files] Added a few items to the Windows list files, and created a Mac OS X one.
- [MFT input] Fixed a bug with Unicode support.
- [RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
- [SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
- [EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace).
- Issue when Parse::Evtx was installed on SIFT, causing the tool to first load the library from Schuster, and not the
slightly changed one distributed by the tool, causing the module to not work.
- Removed small additional debugging text from the iehistory module (shouldn't be printed unless we have debug turned on).
- Fixed a small bug in the _open_file function.

Tue Apr 17 14:00:00 2012 Greg.FreemyerAATTgmail.com
- Version 0.63
- several modules have had their documentation updated and code reformed to reflect the recent release of a style guide
for the project. perltidy is not enough to enforce that, but it is at least a start. Rewriting the documentation (pod) is also a vital
portion of making the modules easier to use/understand/develop.
- All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably
more useful than it was.
- [SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores
the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
- This makes it possible to output using this method and then sorting is simpler since it does not require the module
to read in the csv and change it into something like a hash, since it is already stored as such.
- This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV
instead of using CSV as default and trying to filter that output.
- This also makes it easier to filter, based on certain attributes, instead of at the line level.
- [WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
- [FIREFOX3 input] Added a check to see if the SQLite database contains a -wal or -shm (in addition to -journal)
and if it does, then do the same procedure as if it was a -journal (read-only database that gets copied to a temp location).
This was pointed out to me by Svante.
- [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail
option/parameter is used.
- [MFT input] Inside the verification routine a check is made to see if the magic value is FILE0, it should only be FILE.
Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
- [SAM input] Changed the handling of SAM database data, it did not properly parse the SAM database file in certain cases
due to the keys being prefilled with the CMI-CREATE....
- [NTUSER input] Changed a value check in UserAssist key parsing causing UserAssist keys not properly being parsed.
- [WIN_LINK input] The values for mtime and atime got swapped (the correct order is CAM not CMA like it was)
- [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
- [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
- [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
- [win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named
timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
- [LOG2TIMELINE] Small bug in the log2timeline library, causing an input module list that has more than one - sign in it
to not be properly verified.
- [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not
yet complete, style guide.
- [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
- Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output error
message if debug is turned on.
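
The -wal/-shm handling in the FIREFOX3 entry above (copy the database and its sidecar files somewhere disposable, then parse the copy) is the general recipe for reading any SQLite evidence file safely. The following is an added example in Python, not code from log2timeline, which is written in Perl; the function names and the constructed places.sqlite sample are mine. It stages a database together with any -journal, -wal or -shm sidecar into a temporary directory and queries the copy, so a WAL that has not yet been checkpointed is still read, and the evidence file itself is never opened by SQLite (opening it in place would replay a hot journal or checkpoint the WAL into the main file, modifying the source).

```python
import os
import shutil
import sqlite3
import tempfile

# Sidecar files SQLite may leave next to a database. A hot -journal or an
# un-checkpointed -wal holds pages that are not yet in the main file, and
# opening the original in place would make SQLite write those pages back.
SIDECAR_SUFFIXES = ("-journal", "-wal", "-shm")


def find_sidecars(db_path):
    """Return the sidecar paths that exist next to db_path."""
    return [db_path + s for s in SIDECAR_SUFFIXES if os.path.exists(db_path + s)]


def stage_copy(db_path, workdir):
    """Copy the database and its sidecars into workdir; return the copy's path.

    The sidecars must keep the same base name as the copy, otherwise SQLite
    will not associate them with it and the WAL contents are silently lost."""
    staged = os.path.join(workdir, os.path.basename(db_path))
    shutil.copy2(db_path, staged)
    for sidecar in find_sidecars(db_path):
        shutil.copy2(sidecar, staged + sidecar[len(db_path):])
    return staged


def query_staged(db_path, sql):
    """Run a query against a staged copy of db_path and return all rows."""
    with tempfile.TemporaryDirectory() as workdir:
        staged = stage_copy(db_path, workdir)
        # The copy is disposable, so a plain open is fine: any journal replay
        # or WAL checkpoint happens on the copy, never on the evidence file.
        conn = sqlite3.connect(staged)
        try:
            return conn.execute(sql).fetchall()
        finally:
            conn.close()


def build_sample_db(path):
    """Create a constructed WAL-mode history database with two visited URLs.

    The connection is returned open on purpose: closing the last connection
    makes SQLite checkpoint and delete the -wal, whereas a seized disk or a
    live system typically still has it, which is the case a parser must handle."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, last_visit_date INTEGER)")
    conn.executemany("INSERT INTO moz_places (url, last_visit_date) VALUES (?, ?)",
                     [("http://example.com/", 1338300000000000),
                      ("http://example.org/login", 1338300060000000)])
    conn.commit()
    return conn


def run_demo():
    """Build the sample database, then read it only through a staged copy.

    Returns the sidecars seen beside the evidence, the rows read from the
    copy, and whether the evidence main file is byte-for-byte unchanged."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        src = os.path.join(evidence_dir, "places.sqlite")
        writer = build_sample_db(src)
        try:
            sidecars = sorted(os.path.basename(p) for p in find_sidecars(src))
            with open(src, "rb") as fh:
                before = fh.read()
            rows = query_staged(src, "SELECT url, last_visit_date FROM moz_places ORDER BY id")
            with open(src, "rb") as fh:
                untouched = fh.read() == before
        finally:
            writer.close()
    return {"sidecars": sidecars, "rows": rows, "evidence_untouched": untouched}


if __name__ == "__main__":
    result = run_demo()
    print("sidecars next to evidence:", result["sidecars"])
    for row in result["rows"]:
        print(row)
    print("evidence untouched:", result["evidence_untouched"])
```

On a real image the same staging applies to places.sqlite, Chrome's History, Skype's main.db and any other SQLite artifact: check for all three suffixes, copy everything, and parse the copy.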

Wed Nov 23 13:00:00 2011 Greg.FreemyerAATTgmail.com
- Version 0.62
- [FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
- [OPENVPN input] New input module, designed to parse the OpenVPN log files.
- [L2T_PROCESS] Added a few more allowed characters in the keyword list
- [proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file
- [Log2Timeline library] Fixed a bug, when the 'all' modules option is used (or -f is omitted) no modules get loaded
- Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible
- Fixed a small bug where the tool would crash if the local timezone was used.
- Fixed a small bug where the tool is not able to find the default directory (. does not exist) or if the file in
question does not really exist that the tool is pointing to... that made the tool return a double error instead of
just dying on the first one.
- The tool will now accept a separate output timezone so the tool can output in a different timezone than the hosts one.
- [log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
- [CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports different output
timezone than the host one.
- [EVTX input] Fixed a bug where the tool could go into an endless loop in the case where you have an EVTX that is
somehow broken and the function get_next_event dies. If the tool runs into such an occurrence it returned an empty
timestamp object, that in turn let the tool query for it again, thus possibly getting into an endless loop.
Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
- [log2timeline-sift] Moved the mount command out of the script and into the configuration file
- Changed the mount command, since there were few errors with the previous one
- Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call)

Sat Oct 8 14:00:00 2011 Greg.FreemyerAATTgmail.com
- Version 0.61 (26/09/2011)
- [log2timeline] Small changes to the version printing (now prints just the last portion of the path)
- Now the engine checks if the format field is set and omits it if its set (to facilitate input modules like CSV that define it)
- Changed the list modules, added the SAM database readout in the winxp and win7 list files.
- Created the winsrv list file
- Added the MFT module to all windows list files (just in case they use a driver that displays the $MFT file)
- Fixed an issue with the tool not accepting the described format of the offset variable (should be +- int with the appended hms (optional))
- Added a try/catch around get_time, http://bugs.log2timeline.net/show_bug.cgi?id=2
- [L2T_CSV input] Added an input module that reads the CSV format of log2timeline (done to make it easier to convert CSV files into another format)
- [extra/bash_completion] Added a bash_completion script, stored inside the extra/bash_completion.d directory (need to copy it manually in the first go)
- Can make it easier to complete the parameters to the tool in *NIX
- [l2t_process] Fixed some timezone settings, or rather created some temporary solutions to bug http://bugs.log2timeline.net/show_bug.cgi?id=4
- [SQLITE output] Changed the schema considerably, along other smaller changes to the SQLite output
- [TIME library] Fixed a bug in ftk2date (http://bugs.log2timeline.net/show_bug.cgi?id=7) - timestamps without ms values are not properly parsed
- [PREFETCH input] Slightly modified the debug information in the verification step
- [MCAFEE input] Slight changes in output from the verification routine.
- Added newline skipping in verification subroutine (code donated anonymously)
- [ALTIRIS input] New input module to parse the AeXAMInventory and AeXProcessList files from Altiris (donated anonymously)
- [MCAFEEFIREHUP input] New input module to parse the McAfee FireEpo, FireSvc, FireTray, UpdateLog files (donated anonymously)
- [MCAFEEHEEL input] New input module to parse the McAfee HIPS event.log (donated anonymously)
- [SYMANTEC input] New input module to parse Symantec log files (donated anonymously)
- [MCAFEEHS input] New input module to parse the McAfee HIPShield Log File (donated anonymously)
- [ANALOG_CACHE input] New input module to parse the cache log produced by Analog (log parser), user contributed, written by Willi Ballenthin.
- [FTK_DIRLISTING input] Bug fixed in the ftk_dirlist module, the actual file name was repeated in the output... http://bugs.log2timeline.net/show_bug.cgi?id=6
- [SAFARI input] John Ritchie made a small bug fix to the module, changing how the timestamp object got defined
- [IE_HISTORY input] Fixed a bug in the module. time1 and time2 somehow got mixed up, reversed the order so that time1 is properly defined as the modification time,
instead of being marked as the access time (and vice versa) - thanks to Jamison Bosco for notifying me
- Small fix, updated the module so that if both time1 and time2 are the same, to join them in a single time

Mon Aug 8 14:00:00 2011 Greg.FreemyerAATTgmail.com
- update to 0.60. This is a major update with major changes. The entire workflow of using log2timeline changes. Do not take this update casually.
- [Log2Timeline library] Created a new library that contains the main engine in log2timeline. All the functionality of the tool is moved to this library,
making the front-ends mostly there to process parameters sent to the tool. Some core changes made to how the engine is handled, making it necessary to
update all the input modules. The output modules all had a constructor, however it was not used that much, so some changes were made to all output modules
as well, to transfer some variables needed by some of the output modules.
- Small changes to the time zone settings. Instead of using the short name for the timezone, the long name is used throughout the tool
- [log2timeline] Changed the front-end to be able to use the new engine. Removed most of the functionality out of the tool into the new structure.
With the changes to the engine more options have been added to log2timeline, including the possibility of guessing the format of a file (no need to specifically
tell the front-end which module to use to parse the file, although it is possible). Also possible to do recursive searches, making timescanner really unneeded.
- [timescanner] Changed the front-end to be able to use the new engine. It is basically the same tool now as log2timeline, however it will continue to use the same
parameters as the older version of timescanner and default to recursive behaviour instead of a single file parsing as log2timeline does.
- [l2t_process] Changed the tool so that it removes duplicate entries from the timeline. Also print out few statistics in the end.
- It checks for suspicious entries indicating timestomping that fall outside the date range (that is entries that have only second precision in the MFT module)
- Now accepts a file containing keywords, to compare against. The keyword file should contain a single keyword per line. The keywords are then compared against
every line that passes the date filter. Only lines that have a match against those keywords are printed out.
- changed parameters slightly, to match with those of the main tool (log2timeline)
- Added a simple scatter plot creation. Only applicable if you are parsing the MFT. The scatter plot takes all files that are stored inside the windows/system32
directory and plots the MFT numbers on the X-axis and creation time (both $SI and $FN) on the Y-axis, to quickly spot outliers in the data set that might be an indication
of malware.
- When the scatter plot is drawn a simple process is run to detect outliers in the dataset and print those
- [skype_sql INPUT] Added a new input module that parses the main.db, the SQLite database that belongs to Skype. Basic module that parses only basic entries from the
db, later versions will parse the database in more details.
- [PreProcessing] Added a pre-processing library. Now it is possible to extract information gathered from the drive before the tool starts.
- [win_sysinfo PreProc] New module in the pre-processing library. A simple library that extracts the hostname of the machine and prints the timezone information
before
- [user_browser PreProc] New module in the pre-processing library. A simple library that goes through each user profile searching for the default browser of
that particular user. The information is both printed on screen and then used in the browser input modules (to indicate whether or not this is the default
browser of that particular user)
- [MFT input] New input module that parses the $MFT file (NTFS filesystem), ported from the tool analyzeMFT written by David Kovar
- [NTUSER input] Removed the userassist input module and replaced it with a NTUSER one (better name anyway).
- The module now contains a recursive scanner, where it begins by checking if it can parse the key (has a special parsing capability for a particular key), and
if not, it will print the key's name and LastWritten time (a la regtime).
- The module will then end by getting deleted entries (method gathered from deleted.pl, written by Jolanta Thomassen and distributed on the SIFT).
- [SOFTWARE input] New input module to extract timestamps from the SOFTWARE registry hive.
- [JP_NTFS_CHANGE] New input module that takes the output from the tool jp (NTFS Change Log), which is a CSV file
- [SYSTEM input] New input module to extract timestamps from the SYSTEM registry hive.
- [SECURE input] New input module to extract timestamps from the SECURITY registry hive.
- [SAM input] New input module to extract timestamps from the SAM registry hive, along with basic SAM parsing
- [bug reporting] Added a bug tracking system for the tool, available at bugs.log2timeline.net
- [xp_firewall INPUT] Fixed a minor bug in the tool where the seconds got omitted (losing precision on the date)
- [CFTL output] Changed the output slightly, adding file name to the output for instance
- [SIMILE output] Changed the output slightly, adding file name to the output for instance
- [IIS input] The second parameter was not parsed properly, making the module only accurate to the minute, fixed that.
- [USERASSIST input] Added one more check in the verify function. There were reports of files that contain the magic value for a registry file, yet the reglibrary
was unable to retrieve the root key, making the tool crash
- [TIME library] Fixed the output of the get_cur_time called by the recursive scanner to print the current time. The problem was the representation of the time, which could
be 23:1:42... now it is fixed so that it is 23:01:42
- [EVTX input] Made small changes to include a URL pointing to further information about the event, and events in general for Win 2008.
- Also fixed a small bug where the tool was unable to retrieve text content from an attribute
- Also added a small translation from AccessList codes to "human readable" form, for file auditing
- [CSV/TAB output] Changed both modules to use the short time zone name instead of the long one in the output.
- Removed tab characters from description/title to prevent text to spread over tabs in Excel
- [MACTIME output] Fixed a small issue when the source type is file
- [EVT input] Fixed the EVT module, it produced two timestamps per entry, even though both timestamps were the same, now it checks and only includes one
if they are the same
- [TLN/TLNX output] Fixed a small issue when the source type is file
- [SQLITE output] Fixed a small issue when the source type is file
- [extra FOLDER] Created a small folder called extra that contains some extra scripts, such as a script to remove the log2timeline from the system
- [glog2timeline] Removed the glog2timeline GUI, at least for the time being. It has to be ported to the new engine, and until then it is removed.
- [MSSQL_ERROR] A new input module that parses the MS SQL errorlogs
- [GENERIC_LINUX] A new input module for generic linux log files, contributed by Tom Webb
- [ENCASE_DIRLISTING] A new input module for importing the text file exported from Encase (file listing), it supports the text based export with all columns
- [L2T_PROCESS] Added a small tool to process body files with the CSV output, similar behavior as mactime for the mactime body format
- [MACTIME input] Fixed a problem with the import of mactime timestamps, now the tool groups together timestamps of the same value. This means that when
outputting using other modules than mactime there is only one line printed for each timestamp available, instead of always printing four.
- [Parse::Evtx Library] Updated the EVTX library to version 1.0.7 (with small changes to the source code for it to properly work with L2t)
- [LOG2TIMELINE] Added a -F or force option to make the tool ignore the verification phase and go ahead to try to parse the file
- [TIMESCANNER] Changed the format sort, to put generic linux lower in format order than syslog
- Added a small print out before the tool is run, for logging purposes
- Changed the default output module to CSV instead of mactime
- [TIME library] Added a function called get_cur_local_time to get the current local time (in human readable format)
- Added a function encase2date to handle the date objects from the Encase file export
- [BINREAD library] Added a small check to see if we\'ve reached the end of the file during unicode reading
- [EVTX input] Added information from the data tag into the output
- [BUILD] Updated the RPM spec file, unSpawn sent me an updated file, since I haven't maintained it for a while. Verified by unSpawn to work on a CentOS 5
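
Two entries on this page concern the $MFT parser: the 0.63 entry above changed the verification routine to compare the record magic against FILE (not FILE0) and to cope with a non-standard fixup array offset, and the l2t_process entry in this 0.60 block describes flagging timestomping from $STANDARD_INFORMATION entries that carry only second precision. The following is an added example in Python and is not log2timeline code (the tool is Perl, and its MFT module was ported from analyzeMFT); all function names and the constructed 1024-byte FILE records are mine. It checks the four-byte magic, applies the NTFS update sequence fixups using the offset read from the record header, walks the resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attributes, and then applies the second-precision heuristic. As a generalization beyond the page it also flags a $SI creation time earlier than the $FN creation time, a second common timestomping indicator, since $FN is written by the kernel and not reachable through SetFileTime.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def apply_fixups(rec):
    """Check the magic and undo the update sequence array; return fixed bytes.

    The magic is exactly the four bytes "FILE" (a "FILE0" comparison rejects
    every record). The array offset is read from header offset 0x04, so
    records with a non-standard fixup location still parse."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):  # entry i holds the real last word of sector i-1
        end = i * SECTOR
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_resident_attributes(rec):
    """Yield (type, content) for each resident attribute up to the end marker."""
    off = struct.unpack_from("<H", rec, 0x14)[0]  # first attribute offset
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:  # non-resident flag clear
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            yield atype, rec[off + coff:off + coff + csize]
        off += alen


def parse_times(rec):
    """Return {'si': (cr, m, mft, a), 'fn': (cr, m, mft, a)} as raw FILETIMEs."""
    times = {}
    for atype, content in iter_resident_attributes(apply_fixups(rec)):
        if atype == ATTR_SI:
            times["si"] = struct.unpack_from("<4Q", content, 0)
        elif atype == ATTR_FN and "fn" not in times:
            times["fn"] = struct.unpack_from("<4Q", content, 8)  # after parent ref
    return times


def timestomp_indicators(times):
    """$SI all on whole seconds while $FN keeps sub-second ticks (SetFileTime
    style stomping writes second-granular values), and $SI created before $FN."""
    si, fn = times["si"], times["fn"]
    flags = []
    if all(t % 10_000_000 == 0 for t in si) and any(t % 10_000_000 for t in fn):
        flags.append("si_second_precision")
    if si[0] < fn[0]:
        flags.append("si_created_before_fn")
    return flags


def resident_attr(atype, content):
    """Build a resident attribute: 24-byte header, content, padded to 8 bytes."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\0")


def build_record(si_times, fn_times, name="evil.exe", usa_off=0x30):
    """Construct a 1024-byte FILE record (constructed test data, not a real $MFT).
    usa_off=0x2A mimics older records whose fixup array overlaps the record number."""
    first_attr = 0x38
    si = struct.pack("<4Q", *si_times) + bytes(16)
    fn = (struct.pack("<Q", 5) + struct.pack("<4Q", *fn_times)
          + struct.pack("<QQII", 0, 0, 0x20, 0)
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    attrs = resident_attr(ATTR_SI, si) + resident_attr(ATTR_FN, fn) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, 3, 0, 1, 1, first_attr,
                      1, first_attr + len(attrs), 1024, 0, 3, 0, 7)
    rec = bytearray((hdr.ljust(first_attr, b"\0") + attrs).ljust(1024, b"\0"))
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(2):  # save each sector's last word, then stamp the USN over it
        end = (i + 1) * SECTOR
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def demo():
    """One normal and one stomped constructed record; indicators keyed by name."""
    fn_cr = dt_to_filetime(datetime(2012, 5, 29, 14, 0, 0, 123456, tzinfo=timezone.utc))
    normal = build_record([fn_cr, fn_cr + 50, fn_cr + 50, fn_cr + 50], [fn_cr] * 4, "notes.txt")
    stomped_si = [dt_to_filetime(datetime(2009, 7, 14, 1, 14, 33, tzinfo=timezone.utc))] * 4
    stomped = build_record(stomped_si, [fn_cr] * 4, "evil.exe", usa_off=0x2A)
    return {"notes.txt": timestomp_indicators(parse_times(normal)),
            "evil.exe": timestomp_indicators(parse_times(stomped))}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags or "clean")
```

The second-precision check is a heuristic, not proof: files copied by some installers or restored from archives also carry whole-second $SI values, so treat a hit as a lead to confirm against the $FN timestamps, the $LogFile or USN journal, and surrounding timeline context.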

Fri Feb 18 13:00:00 2011 Greg.FreemyerAATTNorcrossGroup.com
- initial packaging, version 0.51

